Now more than ever, finance needs to navigate the burdens of compliance

AGCS’s Paul Schiavone highlights some of the most significant risks for the financial services industry.

Financial institutions and their directors have to navigate a rapidly changing world marked by new and emerging risks. These are driven by cyber exposures based on the sector’s reliance on technology, a growing burden of compliance and the turbulence of Covid-19.

At Allianz Global Corporate Specialty (AGCS), we recently produced some research highlighting some of the most significant risks for banks, asset managers, private equity funds, insurers and other players in the financial services industry, as ranked in the Allianz Risk Barometer 2021, which surveyed over 900 sector respondents. Cyber incidents, pandemic outbreak and business interruption ranked as the top three risks, followed by changes in legislation and regulation – driven by Environmental, Social and Governance (ESG) and climate change concerns in particular. Macroeconomic developments, such as rising credit risk and the impact of the ongoing low interest rate environment, ranked fifth. Below are some of the trends we see in the financial services space.

Covid-19 impacts
Financial institutions are alive to the potential ramifications of government and central bank responses to the pandemic, such as low interest rates, rising government debt and the winding down of support and grants and loans to businesses. Large corrections or adjustments in markets – such as in equities, bonds or credit – could result in potential litigation from investors and shareholders, while an increase in insolvencies could also put some institutions’ own balance sheets under additional strain. Claims may be brought against directors and officers in the financial services industry where there has been a perceived failure to foresee, disclose or manage or prepare for Covid-19 related risks.

Companies are also planning for a return to the workplace in coming months, but with infection risks likely to persist for some time yet, getting workers back into offices is a task without precedent. This is likely to be a huge source of uncertainty, raising difficult questions around Covid-19 infection liability, vaccinations and privacy issues with regards to the medical information of employees. Inadequate return to office plans could even see employers face liabilities related to employment practices and whistleblowing claims.

Cyber – risk concerns grow despite high level of security spend
An AGCS analysis of 7,654 insurance claims for the financial services sector over the past five years, worth approximately €870 million (about R14.6 billion), show that cyber incidents, including crime, already rank as the top cause of loss by value, and the risk landscape isn’t going to get any easier anytime soon.

The Covid-19 environment is also providing fertile ground for criminals seeking to exploit the crisis, given the rapid and largely unplanned increase in home working, electronic trading and acceleration in digitalisation.

Despite significant cyber security spending, financial services companies are an attractive target and face a wide range of cyber threats including business email compromise attacks, ransomware campaigns, ATM “jackpotting” – where criminals take control of cash machines through network servers – or supply chain attacks. The recent SolarWinds incident targeted banks and regulatory agencies, demonstrating the potential vulnerabilities of the sector to outages via their reliance on third-party service providers.

Most financial institutions are now making use of cloud services-run software which comes with a growing reliance on a relatively small number of providers. Institutions face sizable business interruption exposures, as well as third party liabilities, when things go wrong.

We recently had a bank client suffer a large data breach after a third-party vendor failed to delete personal information when decommissioning hardware. How financial institutions manage risks presented by the cloud and third party service providers will be critical going forward. However, by partnering with the right cloud service provider, companies can also leverage the cloud as a way to manage their overall cyber exposure.

Compliance challenges mount
Compliance is one of the biggest challenges for the financial services industry, with legislation and regulation around cyber, new technologies and climate change and ESG factors evolving and increasing. Indeed, our report notes that there has been a seismic shift in the regulatory view of privacy and cyber security in recent years with firms facing a growing bank of requirements. The consequences of data breaches are far-reaching, with more aggressive enforcement, higher fines and regulatory costs, and growing third party liability, followed by litigation.

Regulators are increasingly focusing on business continuity, operational resilience and the management of third party risk following a number of major outages at banks and payment processing companies. Companies need to operationalise their response to regulation and privacy rights, not just look at cyber security.

Applications of new technologies such as Artificial Intelligence (AI), biometrics and virtual currencies will likely raise new risks and liabilities in future, in large part from compliance and regulation. With AI, there have already been regulatory investigations in the US related to the use of unconscious bias in algorithms for credit scoring. There have also been a number of lawsuits related to the collection and use of biometric data.

The growing acceptance of digital or cryptocurrencies as an asset class will ultimately present operational and regulatory risks for financial institutions with uncertainty around potential asset bubbles and concerns about money laundering, ransomware attacks, the prospect of third-party liabilities and even ESG issues as “mining” or creating cryptocurrencies uses large amounts of energy.

We note with interest that in the US the Securities Exchange Commission is already showing an increasing interest in this area, having brought 75 enforcement actions against cryptocurrency participants over several years.

Finally, the growth in stock market investment, guided by social media, raises mis-selling concerns – already one of the top causes of insurance claims involving financial institutions.

ESG factors hold companies to account
Financial institutions and capital markets are seen as an important facilitator of the change needed to tackle climate change and encourage sustainability. Again, regulation is setting the pace. There have been over 170 ESG regulatory measures introduced globally since 2018, with Europe leading the way. The surge in regulation, in combination with inconsistent approaches across jurisdictions and a lack of data availability, represents significant operational and compliance challenges for financial service providers.

At the same time, activist shareholders or stakeholders increasingly focus on ESG topics. Climate change litigation, in particular, is beginning to include financial institutions. Cases have previously tended to focus on the nature of investments, although there has been a growing use of litigation seeking to drive behavioural shifts and force disclosure debate.

Besides climate change, broader social responsibilities are coming under scrutiny, with board remuneration and diversity particular hot topics. Social and environmental trends are increasingly sources of regulatory change and liability, while increased disclosure and reporting will make it much easier to hold companies and their boards to account. Companies that commit to addressing these topics will need to follow through. For those that do not, it will come back to haunt them.

Claims and insurance outlook
The AGCS report also highlights some of the major causes of claims that insurers see from financial institutions. The fact that compliance risk is growing is concerning, as compliance issues are already one of the biggest drivers of claims. Keeping abreast of compliance in a rapidly-changing world is a tough task for companies and their directors and officers. Their burden is enormous.

As already highlighted, cyber incidents result in the most expensive claims and insurers are seeing a rising number of technology-related losses including claims made against directors following major privacy breaches. Other examples include sizable claims related to fraudulent payment instructions and “fake president” scams. Such payments can be in the millions of dollars.

AGCS has also handled a number of liability claims arising from technical problems with exchanges and electronic processing systems where systems have gone down and clients have not been able to execute trades, and have made claims against policyholders for loss of opportunity.

There have also been claims where a system failure has caused damages to a third party; one financial institution suffered a significant loss after a trading system crashed, causing processing failures for customers.

Recent loss activity, compounded by Covid-19 uncertainty, has contributed to a recasting of the insurance market for financial institutions, characterised by adjusted pricing and enhanced focus on risk selection by insurers, but also increasing interest in alternative risk transfer solutions, in addition to traditional insurance. A growing number of companies are partnering with insurers to manage risk and regulatory capital requirements or using captive insurers to compensate for changes in the insurance markets or to finance more difficult-to-place risks.

At AGCS, we are committed to engaging with financial institutions to help them mitigate their exposures and develop adequate risk transfer solutions for a sector that is embarking on a major transformation, driven by fast-paced technology adoption and growing ESG issues, while having to master the impact of the Covid-19 pandemic.